Categories
Compliance and AI

Compliance and AI: Episode 1 – Ant Stevens on Incorporating AI into Your Compliance Program

What is the role of Artificial Intelligence in compliance? What about Machine Learning? Are you using ChatGPT? We will explore these three questions in this exciting new podcast, Compliance and AI. Hosted by Tom Fox, the award-winning Voice of Compliance, this podcast will look at how AI will impact compliance programs into the next decade and beyond. If you want to find out why the future is now, join Tom Fox on this journey to the frontiers of compliance.

In this inaugural episode of Compliance and AI, Tom Fox interviews Ant Stevens, CEO and President of 6clicks, who explains that generative AI refers to systems that transform inputs into outputs, producing something observable such as an image, video, or text. The AI works from an underlying corpus, a kind of brain or reference point. Because generative AI outputs are grounded in that corpus of information, the technology can be an effective tool for companies looking to improve risk and compliance management.

They discuss the latest generation of generative AI, exemplified by GPT-3, which lets companies generate text, images, and videos. The conversation also covers the benefits of AI in content creation and in drafting policy overviews. The episode emphasizes the importance of prompt engineering and of keeping humans in the decision-making loop. Stevens shares his belief that we are only scratching the surface of what artificial intelligence can do and encourages companies to embrace its potential. Get ready to be empowered and leap into the exciting world of Compliance and AI.

Key Insights

1. Incorporate generative AI into your risk and compliance management systems. Generative AI can help automate the compliance process and reduce human error in tracking and managing compliance requirements.

2. Train employees on how to use generative AI platforms. Employees trained on generative AI platforms can better understand their compliance requirements and reduce the risk of violations.

3. Stay current with the latest developments in generative AI technology. Companies that keep up with the latest advancements in generative AI technology can better understand how it can impact their business operations and take advantage of new opportunities.

If you’re interested in learning more about the potential applications of generative AI in risk and compliance, you should listen to the podcast. Stevens shares his insights into how 6clicks uses generative AI to help companies manage risk and compliance requirements more effectively.

Key Quote

“Generative AI refers to systems that effectively transform inputs into outputs, and the outputs generate something obvious, whether it’s an image or video, a slab of text, something like that.”

Resources

Ant Stevens on LinkedIn

6clicks

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Innovation in Compliance

Series Spotlight: Revolutionizing GRC with 6clicks: Part 5 – What’s Next For 6clicks?


Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I have visited with Joe Schorr, Vice President (VP) of Global Channel Sales; Andrew Robinson, co-founder and Chief Information Security Officer; Stephen Walter, Head of Marketing; Dr. Heather Buker, Chief Technology Officer; and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we broke down the 6clicks hub-and-spoke approach, the use of Artificial Intelligence (AI) and Machine Learning in governance, risk and compliance (GRC), curating and maintaining robust GRC content, and producing audit-ready reports. Today, in our concluding episode, Part 5, I am joined by 6clicks co-founder Ant Stevens as we look down the road at what will be next for 6clicks.
Stevens said that 6clicks was founded some two and a half years ago to bring an affordable, accessible and easy-to-use GRC capability to businesses around the world. The second, related mission “was to ensure that the platform was effective in driving productivity gains for both businesses and advisors, and by advisors such as lawyers, accountants, general business management consultants and business advisors. These goals were achieved through a platform built from the ground up. We thought about GRC, we identified some things that were necessary for us to have in place to compete effectively in the market.”
Stevens also identified the areas he believes are necessary to support the next generation of GRC products. 6clicks broke its foundational building blocks down into four areas. The first was functionality that supports the processes related to GRC. The second was content: “audit and assessment templates, risk libraries, policies and control sets, standards, rules and regulations, basically all of the text or the reference points that companies need in order to make that functionality work.”
Next Stevens said, “we saw the future and we certainly see the future as having artificial intelligence baked into lots of areas of the products, and the reason for that.” This AI component allows a compliance or GRC professional “to take complex activities or time-consuming activities and make them a lot easier.” All of this is built around the 6clicks platform, or “what we call a hub and spoke type approach which I know you discussed in Part 1 with Joe Schorr.” This makes the tool “useful for multinationals, with lots of divisions, useful for private equity companies, useful for holding companies. These are the four building blocks that 6clicks focuses on and we keep making those things better. That is what creates a foundation for us in terms of innovation.”
We turned specifically to AI. Stevens sees its application falling into two buckets. The first is helping businesses automate or streamline what would otherwise be a complex and time-consuming activity. The second is identifying things in data that even a professional would struggle to find effectively without some sort of technology, which is what I have called ‘finding patterns in raked leaves.’
Here Stevens turned to Haley, the 6clicks AI engine. “Haley helps companies with two major challenges. One is to identify similarity across standards, laws, or regulations that they need to comply with. Most are still doing this manually using spreadsheets, multiple tabs and feed lookups. There is overlap across multiple jurisdictions around the world which are generally seeking to do similar things. Businesses need to think about that in a unified way. Haley’s first application is identifying similarity across standards, laws or regulations. The second challenge is to take an existing control framework within a company and quickly identify where the gaps are relative to a standard, law or regulation.”
These functions are what compliance and GRC professionals do all the time. While they can do this manually, with “Haley you can do that in seconds. I think the opportunity in the GRC space is to continue to apply artificial intelligence in those sorts of ways, but also to start to think about how we can use artificial intelligence to identify trends in data or insights into data that otherwise would be difficult to identify.” Stevens gave the example of taking incidents and looking for those that might indicate a broader trend or issue within an organization, or of understanding the overlap between different risks so that treatment plans and remediation activities can be targeted more effectively.
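To make the two Haley use cases concrete, here is an added example in Python of the same idea: a crosswalk that scores how similar each requirement in one framework is to each control (or requirement) in another, and a gap analysis that flags requirements with no adequately similar control. It is not 6clicks code and says nothing about how Haley is actually built. The control texts, requirement texts and identifiers (AC-01, R1 and so on) are constructed for the illustration and paraphrase no real standard, and the TF-IDF cosine similarity is a deliberately simple stand-in; a production engine would use stemming or embeddings, and every mapping still needs a human to confirm that the control genuinely satisfies the requirement, since a high similarity score is evidence of overlapping wording, not of compliance.

```python
import math
import re
from collections import Counter

# Constructed sample data for this illustration (paraphrased; not the text of
# any real standard). Identifiers are made up.
ORG_CONTROLS = {
    "AC-01": "We review user accounts quarterly and disable dormant accounts.",
    "AC-02": "Multi-factor authentication is required for all remote and administrative access.",
    "LOG-01": "Security logs are collected centrally and retained for twelve months.",
    "BCP-01": "Backups are taken daily and restoration is tested every six months.",
}

STANDARD_REQS = {
    "R1": "Require multi-factor authentication for administrative access and remote access.",
    "R2": "Review user accounts periodically and disable inactive accounts.",
    "R3": "Retain security audit logs centrally for at least twelve months.",
    "R4": "Encrypt cardholder data at rest using strong cryptography.",
    "R5": "Perform vulnerability scans quarterly and after significant changes.",
}

STOPWORDS = {"a", "an", "and", "the", "for", "of", "to", "is", "are", "at", "in",
             "on", "be", "by", "all", "we", "that", "or", "as", "with", "using", "least"}


def tokenize(text):
    """Lower-case, split on non-alphanumerics and drop stopwords (no stemming)."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]


def tfidf_vectors(docs):
    """docs: {doc_id: text}. Returns {doc_id: {term: tf*idf}}. IDF is computed
    over every document passed in, so both sides of a comparison share one
    vocabulary and one weighting."""
    tokens = {doc_id: tokenize(text) for doc_id, text in docs.items()}
    df = Counter()
    for toks in tokens.values():
        df.update(set(toks))
    n = len(docs)
    return {
        doc_id: {term: count * math.log(n / df[term]) for term, count in Counter(toks).items()}
        for doc_id, toks in tokens.items()
    }


def cosine(u, v):
    """Cosine similarity of two sparse vectors; 0.0 if either is empty."""
    dot = sum(w * v.get(t, 0.0) for t, w in u.items())
    nu = math.sqrt(sum(w * w for w in u.values()))
    nv = math.sqrt(sum(w * w for w in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def crosswalk(source, target):
    """For every source item, find the most similar target item.
    Returns {source_id: (target_id, score)}; target_id is None when no target
    shares any weighted vocabulary with the source item. Keys are prefixed so
    two frameworks that reuse identifiers (e.g. both have a '1.1') never collide."""
    corpus = {("S", k): v for k, v in source.items()}
    corpus.update({("T", k): v for k, v in target.items()})
    vecs = tfidf_vectors(corpus)
    result = {}
    for sid in source:
        best_id, best_score = None, 0.0
        for tid in target:
            score = cosine(vecs[("S", sid)], vecs[("T", tid)])
            if score > best_score:
                best_id, best_score = tid, score
        result[sid] = (best_id, round(best_score, 3))
    return result


def gap_analysis(requirements, controls, threshold=0.3):
    """Map each requirement to its best-matching control. Requirements whose
    best score falls below `threshold` are reported as gaps; the threshold is
    an assumption to be tuned against human-reviewed mappings."""
    matches = crosswalk(requirements, controls)
    covered = {r: m for r, m in matches.items() if m[1] >= threshold}
    gaps = {r: m for r, m in matches.items() if m[1] < threshold}
    return covered, gaps


if __name__ == "__main__":
    covered, gaps = gap_analysis(STANDARD_REQS, ORG_CONTROLS)
    for req, (ctrl, score) in covered.items():
        print(f"{req} covered by {ctrl} (similarity {score})")
    for req, (ctrl, score) in gaps.items():
        print(f"{req} GAP (closest control {ctrl}, similarity {score})")
```

With the constructed data, R1, R2 and R3 map to AC-02, AC-01 and LOG-01, while R4 (encryption at rest) has no matching control at all and R5 (vulnerability scanning) only shares the word "quarterly" with AC-01, so both are reported as gaps. The same `crosswalk` function run on two standards instead of a standard and a control set gives the cross-regulation similarity view Stevens describes as Haley's first application.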
I asked Stevens whether he could look down the road a bit and give us a teaser of what 6clicks might be developing. He said, “it is around our mission focusing on making GRC affordable and accessible for businesses. In the long term, I think there is much to further automate processes for advisors, and we’re going to focus on that. To me that represents a huge opportunity for innovation. We are going to look at tools and techniques to enable GRC professionals to make all of this more of a reality.” Another initiative is what Stevens termed “a marketplace” which can “be tailored by advisors for their clients. What we want to do is take this concept to the next level and allow individuals to seamlessly share, as part of their community, in a crowdsource context, both content and best practices that they have identified within the 6clicks platform and make that available to all the 6clicks users around the world.” Most excitingly for me, Stevens added, “we want to bring that same sort of capability into the world of risk and compliance.”
I concluded by asking Stevens about his innovation philosophy: how 6clicks makes sure it hits the mark, given the many other players innovating in the GRC and wider risk and compliance space. He said, “for us at 6clicks, we have a three horizon model in the way that we think about innovation. The first is to focus obviously on the very immediate needs that customers have, things that might not be working the way they expect, to things that could be improved very obviously based on feedback. The second is things in the near term, which is a combination of things that people have told us that they need and things they have expressed some sort of interest in having.” The third and final horizon is a combination of the 6clicks “view of where the opportunity lies in terms of improvement. We strike a balance in being sufficiently bold about the future that we see, but at the same time grounded in it and getting feedback from customers. In this third horizon we think about innovation manner, as in the way that we think the world should work, which requires a lot of creativity.”
Stevens ended by relating “we try and get the balance right there. It’s not easy. It’s very tough. But that is the way we think about our engineering philosophy and innovation philosophy. It influences the type of people that we attract or that are keen to work with us. We share that focus of short, medium, long-term thinking.”
For more information on 6clicks, check out their website here.

Categories
Blog

What’s Next For 6clicks?

I recently had the chance to visit with 6clicks co-founder Ant Stevens for a sponsored podcast series, as we looked down the road at what will be next for 6clicks. You can check out the podcast here.

Categories
Innovation in Compliance

Series Spotlight: Revolutionizing GRC with 6clicks: Part 4 – Producing Audit-Ready Report with 6clicks Pixel Perfect™


Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I visit with Joe Schorr, Vice President (VP) of Global Channel Sales; Andrew Robinson, co-founder and Chief Information Security Officer; Stephen Walter, Head of Marketing; Dr. Heather Buker, Chief Technology Officer; and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we will break down the 6clicks hub-and-spoke approach, the use of Artificial Intelligence (AI) and Machine Learning in governance, risk and compliance (GRC), curating and maintaining robust GRC content, producing audit-ready reports, and what’s next for 6clicks down the road. In Part 4, I am joined by 6clicks Chief Technology Officer, Dr. Heather Buker, and we take up producing an audit-ready report with 6clicks Pixel Perfect™.
Buker is the bridge between the engineering and technology side of the 6clicks solution and a workable solution for customers. She says of herself, “you can see me, affectionately, as a translator if you will of the product and functionality and how that translates to business use cases, value propositions and things that clients really care about.” She went on to note, “functionality is only as good as the value proposition that it serves. I am here to make sure that those two things meet. I’m kind of the bridge.”
It used to be that the byword for data and data processing was GIGO (garbage in, garbage out). Now it has evolved to “data is only as good as what you can get out of it. So, it’s not enough to just collect the data and give organizations a sort of single source of truth for their GRC programs anymore. Right? That’s what every SaaS solution in the GRC space is really striving for. But, furthermore, users want easy, efficient ways to get that data out of the tool. So, it’s always a bit of an uphill battle when it comes to reporting, you know, there’s a constant flow of new requirements. Every organization has a different use case that needs supporting et cetera, and users have to be able to get their GRC data out of the tool and make it digestible for a wide variety of audiences. And that’s really the key right there. The wide variety of audiences we’re trying to satisfy with reporting needs, what good is it to track their risk and compliance data? If they can’t show/prove to an auditor or their Board members on their current risk posture at the monthly meeting, simply put it isn’t. So, assets reporting is, and frankly always will be, a critical piece of the GRC SaaS solution puzzle.”
The problem that 6clicks Pixel Perfect™ helps solve is repeatability. As Buker explained, “The more we can make GRC processes repeatable, even when it comes to reporting, the easier our platform will be to use and the more widely adopted we can become. To solve for this in the reporting world, we decided to automate report generation.” I asked her for an example, and she said, “6clicks Pixel Perfect™ can take a completed PCI DSS assessment and return Section Six of the report on compliance, filled out and audit ready.” Behind this is the report template mandated by the PCI Security Standards Council, which drives the functionality and ensures that the generated report is properly formatted and ready to be submitted. All an organization has to do is complete their PCI assessment and the platform will perform its “6clicks magic on the other side and deliver the PCI form from those assessment results minus all of the hassle. We are talking hours upon hours of time savings for QSAs, merchants and others on their engagements.”
We concluded with some of Buker’s thoughts on how multiple stakeholders can use the information that the 6clicks Pixel Perfect™ solution creates, up and down the chain in an organization, literally from the technical folks on the front lines up to the Board of Directors. She emphasized, “what this functionality has to be, has to be up and down, high level, low level, right to Board members who have their monthly meeting or senior management that may be managing multiple projects across various lines of business. They don’t always know what they’re looking at when they look at some of these low-level risk, detailed reports or even data in general. We must make it digestible for them. We have to make it meaningful for them. We have to be able to produce reports and analytics at a really high level.”
Buker had a great phrase for it: it all has to be in an “accordion range. That is, from highest level to lowest level and then back. And that’s really like the secret sauce of reporting and analytics in the GRC space. Being able to take it full circle from driving change to implementing change and all of the various levels in any organization.”
Join us tomorrow where we conclude our series by visiting with company co-founder Ant Stevens as we explore what’s next for 6clicks.
For more information on 6clicks, check out their website here.

Categories
Blog

Producing Audit-Ready Report with 6clicks Pixel Perfect™

I recently had the chance to visit with 6clicks Chief Technology Officer, Dr. Heather Buker and we take up producing an audit-ready report with 6clicks Pixel Perfect™ for a sponsored podcast series. You can check out her episode here.

Categories
Innovation in Compliance

Series Spotlight: Revolutionizing GRC with 6clicks: Part 3 – Curating and Maintaining Robust GRC Content


Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I visit with Joe Schorr, Vice President (VP) of Global Channel Sales; Andrew Robinson, co-founder and Chief Information Security Officer; Stephen Walter, Head of Marketing; Dr. Heather Buker, Chief Technology Officer; and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we will break down the 6clicks hub-and-spoke approach, the use of Artificial Intelligence (AI) and Machine Learning in governance, risk and compliance (GRC), curating and maintaining robust GRC content, producing audit-ready reports, and what’s next for 6clicks down the road. In Part 3, I am joined by Stephen Walter to discuss curating and maintaining robust GRC content.
One of the more difficult issues facing the GRC professional, or someone new to the space, is the seeming complexity of the issues in GRC. They can literally be overwhelmed. In a multinational organization there will be a myriad of different regulations. Of course, there is data across the organization, in multiple silos. Even if the compliance or GRC professional can get access to the data, they probably cannot interpret it or, more importantly, know how to use it going forward.
Walter said that for someone just starting out with a budding GRC program, “navigating the complexities of achieving and maintaining compliance within a number of regulations and/or authorities can be quite daunting.” With all these regulatory compliance requirements come content needs. The content to be curated could be regulatory or compliance content, or it could be as wide and varied as “content assessments, audits, frameworks, best practice, risk libraries, policies, and control sets.” Providing and housing all of this presents serious challenges. Now overlay that content spread across different management systems like Google or SharePoint, together with mailboxes, and, as Walter notes, “it really creates chaos. Next consider outdated regulations, leading to outdated risk management policies and other required internal content materials, can all equal noncompliance with the legislations.”
One interesting observation was that because risk and compliance has been elevated in organizations, right up to the Board agenda, these conversations are resonating with companies. This allows smaller companies to build more robust risk and compliance functions through the use of GRC tools and advisors. Walter is seeing much less of a top-down approach, where unilateral decisions are made at the top, and more of a bottom-up approach that democratizes risk and compliance and brings in the people who are actually in the trenches to convey their message upward in the company as well. With this wide variety of stakeholders involved there is something for everyone, which can make the job of a GRC professional much easier. A GRC tool allows a company to jettison outdated methods and processes and innovate its way into a better system.
We turned to the pace of change brought about by the pandemic. As I have noted elsewhere, we had three to five years of change in 2020 alone. This was certainly true of the GRC space. Walter noted that 2020 and 2021 were “massive storms for regulators.” He pointed to cyber and information security as key areas that saw massive change, both in the number of cybercrimes and in the regulatory responses to them. Now overlay that with the increasingly complex system of regulations and rules that companies have to navigate, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and even the cybersecurity laws of the People’s Republic of China (PRC), and you begin to see how risk in one area has grown almost exponentially. Of course, other regulatory responses from the US to Australia have been forthcoming, so multinational organizations face a wealth of new regulatory challenges. Simply keeping up with the regulatory changes can be daunting, and spreadsheets and Word documents are simply not enough in 2021.
We then discussed the pace of change on both the regulatory and technology sides. Many companies are still stuck in what Walter called the “Dinosaur Age” of basic word processing skills and tools. Regulators in each country expect companies to know, understand and follow their respective laws and regulations. So what is the response of a small to medium-sized organization that is resistant to the required change management, which Walter described as in some ways “a weird kind of cognitive dissonance?” This is the precise reason “why GRC solution tools are going gangbusters for affordability reasons at the moment.” Yet Walter cautioned, “you need to be careful what GRC tool you adopt and make sure it’s not just a legacy tool with a facelift.”
Walter concluded with a few thoughts on the 6clicks content library, which he termed “massively rich.” It all begins with authority documents, which are the standards, laws and regulations. From there you move down to policies, the measures you put in place to mitigate risk or demonstrate compliance with the controls within them. Next, these controls have responsibilities, such as “who does what, how often and when the control measures, which those responsibilities are, maintain the effectiveness of that control.” Those are all there already inside the 6clicks content library, and you can create your own.
This allows a GRC or risk and compliance professional to put all of these documents into one system and manage them in one place. It creates what Walter called “a single point of truth, where you can keep an eye on everything, both internally and externally with the hub and spoke, which is multi entity.” If you are at a company with multiple entities running multiple autonomous GRC programs, “you can keep an eye on that too.” Finally, the control-to-authority gap analysis, driven by the AI engine, can identify where gaps exist. As Walter concluded, “I think once you bring all of that together, you’ve really got something very, very special.”
Join us tomorrow where we take up the topic of producing audit-ready reports with 6clicks Pixel Perfect™, with 6clicks Chief Technology Officer, Dr. Heather Buker.
For more information on 6clicks, check out their website here.

Categories
Blog

Curating and Maintaining Robust GRC Content

I recently had the chance to visit with Stephen Walter, Head of Marketing at 6clicks, to discuss curating and maintaining robust GRC content for a sponsored podcast series. You can check out his podcast episode here. One of the more difficult issues facing the GRC professional, or someone new to the space, is the seeming complexity of the issues in GRC. They can literally be overwhelmed. In a multinational organization there will be a myriad of different regulations. Of course, there is data literally across the organization, in multiple silos. Even if the compliance or GRC professional can get access to the data, they probably cannot interpret it or, more importantly, know how to use it going forward.
Walter said that for someone just starting out at a budding GRC program, “navigating the complexities of achieving and maintaining compliance within a number of regulations and or authorities can be quite daunting.” With all these regulatory compliance requirements come content needs. The needed content could be regulatory or compliance content, or it could be as wide and as varied as “content assessments, audits, frameworks, best practice, risk libraries, policies, and control sets.” Curating, providing and housing all of this can present some serious challenges. Next, overlay that content spread through different management systems like Google or SharePoint, together with mailboxes, and, as Walter notes, “it really creates chaos. Next consider outdated regulations, leading to outdated risk management policies and other required internal content materials, can all equal noncompliance with the legislations.”
One interesting observation was that because risk and compliance have been elevated in organizations, right up to the Board agenda, these conversations are resonating with companies. This allows smaller companies to have more robust risk and compliance functions through the use of GRC tools and advisors. Walter is seeing much less of a top-down approach where unilateral decisions are made at the top. It can now be a more bottom-up approach, democratizing the approach to risk and compliance and bringing in the people who are actually in the trenches to convey their message upward in the company as well. This can make the job of a GRC professional much easier: with the wide variety of stakeholders involved, there is something for everyone. A GRC tool allows for the jettisoning of outdated methods and processes so a company can innovate itself into a better system.
We turned to the pace of change brought about by the pandemic. As I have noted elsewhere, we had three to five years of change in 2020 alone. This was certainly true of the GRC space. Walter noted that 2020 and 2021 were “massive storms for regulators.” He pointed to cyber and information security as key areas that saw massive change, both in the number of cybercrimes and in the regulatory responses to them. Now overlay that with the increasingly complex system of regulations and rules that companies have to navigate, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and even the cybersecurity laws of the People’s Republic of China (PRC), and you begin to see how risk in one area has grown almost exponentially. Of course, other regulatory responses from the US to Australia have been forthcoming, so multinational organizations face a wealth of new regulatory challenges. Simply keeping up with the regulatory changes can be daunting, and using spreadsheets and Word documents is simply not enough in 2021.
For more information on 6clicks, check out their website here.

Categories
Innovation in Compliance

Series Spotlight: Revolutionizing GRC with 6clicks: Part 2 – Utilizing Machine Learning and AI in Your GRC Practice


Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I visit with Joe Schorr, Vice President (VP) of Global Channel Sales, Andrew Robinson, co-founder and Chief Information Security Officer, Stephen Walter, Head of Marketing, Dr. Heather Buker, Chief Technology Officer, and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we will break down the 6clicks Hub and Spoke approach, utilizing Artificial Intelligence (AI) and Machine Learning (ML) in governance, risk and compliance (GRC), curating and maintaining robust GRC content, producing audit-ready reports, and look at what’s next for 6clicks down the road. In Part 2, I am joined by Andrew Robinson to discuss utilizing ML and AI in your GRC practice.
We began with the very basic proposition that many compliance professionals and others are scared by AI in the GRC space. Robinson believes it is based on the fear of the unknown, for many both inside and outside of GRC. Yet, increasingly, GRC professionals see how AI and ML can be used within regtech and technology companies, as well as in the compliance space, to move forward by taking advantage of natural language processing. Robinson explained this is a component of ML that can help understand text. There is a lot of text in the world of compliance. When you can then overlay an AI component on all the standards, laws, and regulations any multinational organization must follow, you begin to see the power of such a tool.
We next turned to dealing with compliance across multiple jurisdictions. For GRC professionals working internationally, Robinson said they must “maintain mappings or what you commonly call in the US ‘crosswalks of compliance’ frameworks.” He went on to explain these frameworks are “useful because it can allow a consultant to help a client understand how they might stack up against a particular standard.” Robinson provided the example that if an organization is already complying with ISO 27001, through these mappings “it might be able to give them an idea about what that level of compliance they have through the lens of a different framework or standard that may be relevant like the NIST cybersecurity framework.”
Yet the 6clicks approach is much more than a regulatory approach. It is a business-centered approach which provides discrete business advantages. Indeed, this is one of the reasons I find the 6clicks approach so exciting, as it creates a business advantage by performing quality GRC. These tools increase efficiency and profitability. Robinson went further, noting that “we come out with a public estimate of 10 times saving in using machine learning to assist with building up GRC mapping.” That is a serious productivity saving and increase.
However, this productivity increase and potential cost saving does not remove the human element. This final concept is critical in moving forward. Robinson said, “I’m of the view that humans have a very important role to play. This role is supervising the machine learning models to make sure that what they are producing and the results that they are coming out with are accurate and reliable.” If GRC professionals are still using spreadsheets and Word documents, they should come to terms with the fact that companies and clients no longer want spreadsheets and Word documents as a deliverable. GRC professionals and consultants need to start using similar tools and improving the way that they service their clients. Clients, both in-house and external, are starting to demand and look for this approach. Robinson noted, “the reality is that if you are doing anything else it will be seen as subpar, and no one wants to be delivering sort of subpar products. I look for a solution that can meet your customer expectations and help you deliver your services long into the future.”
We concluded by looking at GRC tools with ML and AI at a strategic level, at the senior executive level and even at the Board of Directors level. Robinson feels that management at this level “understands the benefits because they understand the problem.” Their goals are to simplify compliance while understanding risk exposure. From this point, management can move to create a risk-based solution. Robinson believes these are the types of “business problems that executives are dealing with on a daily basis. Having awareness of the machine learning model can help them navigate that complexity.” From where I sit, when you can take a tool that improves business process efficiency and use it to increase profitability through more effective risk management, it is a win for everyone.
Join us tomorrow, where we take up the topic of curating and maintaining robust GRC content with 6clicks Head of Marketing, Stephen Walter.
For more information on 6clicks, check out their website here.

Categories
Blog

Utilizing Machine Learning and AI in Your GRC Practice

I recently had the chance to visit with Andrew Robinson to discuss utilizing ML and AI in your GRC practice for a sponsored podcast. Robinson is the co-founder and Chief Information Security Officer at 6clicks. You can check out Robinson’s podcast episode here.
For more information on 6clicks, check out their website here.

Categories
Blog

Managing a Multi-Entity GRC Architecture with 6clicks Hub and Spoke

I recently visited with Joe Schorr about managing a multi-entity GRC architecture with 6clicks hub and spoke for a sponsored podcast series. You can check out Joe’s podcast here. Joe is the VP and Global Head of Strategic Partnerships & Alliances at 6clicks. He handles global channels, which encompasses service provider partners and technology partners and the traditional channel resale role. We turned to the ‘hub and spoke’ model which 6clicks advocates. He said that 6clicks pioneered the evolution from a multi-tenant or federated approach to GRC architecture to a hub and spoke model. The difference is that a multi-tenant or federated approach is seen as much more vertical, up and down the chain. But the hub and spoke is “just like with airline travel, back in the old days of networking, where we had hubs, routers and switches and the computers all hooked to a hub.”
Schorr went on to explain, “in our model, we’re using what we call center of excellence, think of it as the headquarters or the hub or the terminal and an airport. And they have the different wings go out to the different entities.” The architecture can “pull different types of data and analytics from those entities, or those folks are out there bringing them back into the center of excellence.” Additionally, “the center of excellence by the same token can have a lot of centralized benefits like templates and controls which they are able to push that out at the same time to all these different entities.” Schorr believes it is “the holy grail of what people have been looking for; to control from a central location really complex information that require a ton of data flowing both ways.”
Moreover, the hub and spoke approach facilitates a GRC conversation with a wide variety of people. This could include compliance professionals, lawyers, other non-technical folks at the C-suite or executive level, certainly at the Board level, and everywhere in between. It helps to define everyone’s role in the GRC and broader risk management process. Schorr said, “That’s the beauty of it because you can craft it. For instance, in a Private Equity company with multiple portfolio companies, there is much sensitive information and not everybody in every portfolio company needs to see what’s going on in every other portfolio company. This approach allows an organization to segregate all that data yet allows you the freedom to utilize the information you want to as access control is built into the architecture.”
We continued with the example of the private equity firm with multiple portfolio companies, which are sometimes in the same industry, but sometimes not. There is always a wide variety of data and disparate sources of data that you have to pull in. This disparate data has to be collected in a manner that can be utilized by the private equity firm, the corporate office, or whatever the hub might be. However, the stakeholders, corporate subsidiaries or portfolio companies at the end of the spoke might need that data to make tactical if not strategic decisions. Next, overlay reporting to senior management and then a Board of Directors, all in a changing regulatory environment. This hub and spoke architecture can be an incredibly powerful way to collect and utilize data. Schorr explained, “if you are hired to do a risk assessment against 200 portfolio companies, you have a massive set of risk data in all kinds of different things. You have collected data; you have interviews, you have done vulnerability scanning, you’ve done risk assessments, third party risk assessments, vendor assessments, everything you could possibly imagine. That is all rolled up collected somewhere and a bunch of smart people look at it and we’re all trying to grade it and do things manually and push it around. And at the end of the day, just like you said, this is really important.”
This approach allows you to prepare a Board-level or C-suite report. You can also create a functional management report for middle management, as that level is usually the one which must read and decipher it and then push it out. Schorr said, “there is also a bottom layer which a report needs to go out to. It’s almost a raw data level report that goes out to the people in the field or the people at those portfolio companies who are responsible for fixing things.” The hub and spoke approach to the 6clicks GRC architecture allows you to work on all of those levels.
For more information on 6clicks, check out their website here.